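# Leaky-bucket scenario: repeated failed logins against Joplin Server coming
# from a single source IP (password guessing).
type: leaky
name: xs539/joplin-server-bf
description: "Detect Joplin Server bruteforce"
# Only events tagged as failed authentications are poured into the bucket.
# The tag is set by a parser that is not part of this file.
filter: "evt.Meta.log_type == 'joplin_server_failed_auth'"
# One bucket per client address.
# NOTE(review): if Joplin Server is reached through a reverse proxy, confirm
# the parser records the real client address and not the proxy's; otherwise
# all failures share one bucket and the proxy is what gets remediated.
groupby: evt.Meta.source_ip
# One event leaks out every 15 minutes; the bucket overflows (raises an alert)
# once it is filled past `capacity`.
# NOTE(review): this threshold is tight. A sync client retrying with a stale
# password, or several users behind one NAT address, can reach it without any
# attack taking place. Validate against real logs before enforcing bans.
leakspeed: 15m
capacity: 3
# After an overflow, further overflows for the same source IP are suppressed
# for one minute to avoid duplicate alerts.
blackhole: 1m
labels:
  service: joplin
  confidence: 3
  # 0 = the source address is treated as not spoofable.
  # NOTE(review): that holds for a TCP peer address; revisit if the parser
  # takes source_ip from a client-supplied forwarding header.
  spoofable: 0
  classification:
    # MITRE ATT&CK T1110: Brute Force
    - attack.T1110
  label: "Joplin Bruteforce"
  behavior: "http:bruteforce"
  # Alerts from this scenario are eligible for a blocking decision.
  remediation: true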
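---
# Leaky-bucket scenario: failed logins against Joplin Server from a single
# source IP that target several different accounts (user enumeration or
# password spraying), as opposed to repeated guesses at one account.
type: leaky
name: xs539/joplin-server-bf_user-enum
# Description names what this scenario actually detects, so alerts can be told
# apart from the plain bruteforce scenario that uses the same filter.
description: "Detect Joplin Server user enumeration"
# Only events tagged as failed authentications are poured into the bucket.
# The tag is set by a parser that is not part of this file.
filter: "evt.Meta.log_type == 'joplin_server_failed_auth'"
# One bucket per client address.
groupby: evt.Meta.source_ip
# An event is counted only if its target_user value has not yet been seen in
# this bucket, so the bucket measures distinct accounts tried, not attempts.
# NOTE(review): this depends on the parser populating evt.Meta.target_user.
# Confirm it does; if the field is empty the scenario may never overflow.
distinct: evt.Meta.target_user
# One event leaks out every 15 minutes; the bucket overflows (raises an alert)
# once it is filled past `capacity`.
# NOTE(review): several legitimate users behind one NAT or office address who
# each mistype a password can reach this threshold. Validate against real logs
# before enforcing bans.
leakspeed: 15m
capacity: 3
# After an overflow, further overflows for the same source IP are suppressed
# for one minute to avoid duplicate alerts.
blackhole: 1m
labels:
  service: joplin
  confidence: 3
  # 0 = the source address is treated as not spoofable.
  # NOTE(review): that holds for a TCP peer address; revisit if the parser
  # takes source_ip from a client-supplied forwarding header.
  spoofable: 0
  classification:
    # MITRE ATT&CK T1589: Gather Victim Identity Information
    - attack.T1589
  label: "Joplin User Enumeration"
  behavior: "http:bruteforce"
  # Alerts from this scenario are eligible for a blocking decision.
  remediation: true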